-
Notifications
You must be signed in to change notification settings - Fork 139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some metadata validation is missing from flit_core
?
#580
Comments
Thanks! It's sort of intended behaviour - the net result obviously isn't desirable, but the pieces that go into it are deliberate. My expectation when I designed this was that package producers - the people who choose to use Flit to publish their package - would use the build (the project providing |
Thanks @takluyver! Your explanation helps a lot. To rephrase from the perspective of a package repository maintainer:
So my take-away for future work as a package repository maintainer is: |
The `flit` command performs some up-front validation before it actually builds the package. This is intended for upstream project maintainers so they have a chance to learn about issues before they proceed to cut a release. Once a package is released, people who consume the package (which includes package repository maintainers) are assumed to be mainly interested in getting the already-released package to build. Therefore, they may simply want to run the build backend without caring about up-front validation. That’s what the `build` command does: invoke the suitable build backend, which in the case of `flit`, doesn’t run the validation steps. See discussion in [1]. [1]: pypa/flit#580 CC: Thomas Kluyver <[email protected]> CC: William Woodruff <[email protected]>
The `flit` command performs some up-front validation before it actually builds the package. This is intended for upstream project maintainers so they have a chance to learn about issues before they proceed to cut a release. Once a package is released, people who consume the package (which includes package repository maintainers) are assumed to be mainly interested in getting the already-released package to build. Therefore, they may simply want to run the build backend without caring about up-front validation. That’s what the `build` command does: invoke the suitable build backend, which in the case of `flit`, doesn’t run the validation steps. See discussion in [1]. [1]: pypa/flit#580 CC: Thomas Kluyver <[email protected]> CC: William Woodruff <[email protected]>
That sounds right. It depends a bit on the nature of your repository, but if there are problems with the package, you probably can't fix them as easily as the package authors (even if you have a patching mechanism, the downstream packaging ecosystems I've seen generally prefer not to use this unless necessary).
Makes sense. It also has the advantage that the same build command should work for any Python package, regardless of whether they use Flit, Setuptools, Poetry, Hatch, or other packaging tools. Depending on how tightly your repository likes to control things, this can be a big simplification or a small one. |
First of all, thanks a ton for
flit
! We are very, very happy with it onpip-audit
🙂Someone raised an issue with us recently (pypa/pip-audit#353), noting a discrepancy between these two commands:
In particular, the former (correctly) warns about invalid classifiers, while the latter doesn't:
and:
In particular, this seems to be happening since
flit.validate
is not part offlit_core
.Is this intended behavior and, if so, is it documented anywhere? It makes sense to me that the
flit
package would contain more functionality thanflit_core
, but the discrepancy in validation was slightly surprising as an end user 🙂The text was updated successfully, but these errors were encountered: